package com.can.lesson01;

import com.can.lesson01.utils.poolUtil_DBCP;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;

public class pool_DBCP {
    public static void main(String[] args) {
        login("can1","123"); //正常登录
//        login(" ' or '1=1","123' or '1=1"); // SQL注入
    }

    //登录业务
    private static void login(String username,String password){
        Connection conn = null;
//        Statement st = null;
        PreparedStatement st = null;
        ResultSet rs = null;
        try {
            conn = poolUtil_DBCP.getConnection();
            //区别
            //prepareStatement 防止SQL注入的本质： 把传递过来的参数 当作字符 包裹起来 '参数'
            //假设字符中存在转义字符，就直接忽略， '会被直接转义
            String sql = "select * from kuangshenjdbc.users where `name`= ? and `password` =?";//预编译SQL 参数用 '?'
            //            st = conn.createStatement();
            st = conn.prepareStatement(sql); //预编译SQL，先写sql，然后不执行
            //手动参数赋值
            st.setString(1,username);
            st.setString(2,password);
            //注意点：sql.Date 数据库 java.sql.Date()
            //       util.Date Java  new Date().getTime() 获得时间戳
//            st.setDate(2,new java.sql.Date(new Date().getTime()));
            //执行
            rs = st.executeQuery();
            while (rs.next()){
                System.out.println(rs.getObject("name"));
                System.out.println(rs.getObject("password"));
                System.out.println("============");
            }
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            //6.释放连接
            poolUtil_DBCP.release(conn,st,rs);
        }
    }
}
